Walkera DEVO Tx Hacking - Page 19 - RC Groups
Apr 05, 2012, 05:20 PM
Registered User
Originally Posted by PhracturedBlue
I wouldn't do that. USB uses 5V. The Walkera Tx are all built around a 3.3V system. You definitely need to ensure that the voltages are ok, otherwise you could break something.
+1, please don't wire anything up until we've had time to check. You don't want to let the magic smoke out....
Apr 05, 2012, 05:57 PM
Registered User
Originally Posted by rcH4x0r

I will do some more detailed analysis of the code tomorrow but it's bedtime here in Europe...
Lightweight! Bet if you had your dev tx you wouldn't go to bed.
Apr 05, 2012, 06:30 PM
Registered User
Atomic Skull's Avatar
Originally Posted by FDR_
Wow, congrats!

That is the most common sw "bug" in the DEVO land, that the tx restarts after turning off. It happens when a simple DEVO 8 gets the firmware of the 8S, or even happens when someone uses some lipos. After all the power switch is not a real one but only a software switch...
Also happens if you turn off the transmitter with a wall charger plugged into it.
Apr 05, 2012, 06:37 PM
Registered User
Atomic Skull's Avatar
Originally Posted by mescalinedream
I don't know who else to ask. It seems if anyone would know the answer to this question then you guys would.
The UP-02 is now available at hobbyone.hk. If you have no idea what this is then I will tell you. Walkera made updates available for all radios. I have a Devo 7 and went to their website to download the new updates. In their update software there was a .pdf that said "to update your Devo 7 you will need the UP-02 dongle". I looked in my Minicp rtf box with Devo7 and there is no UP-02!
I contacted Walkera and their reply was "the dongle will be available soon". I could not believe they had an update available but no way to use it. 3-10-12 is when I emailed Walkera, they just responded today.

So here is the new dongle

It's going to cost 16.00 + 18.77 for the cheapest shipping rate to Michigan according to the hobbyone.hk site! I would think the official updater dongle should be free or a little cheaper.

So instead of paying 34.77 to update my devo 7, can I use something other than the official UP-02 updater dongle? Also, it seems Walkera has a Sim dongle called UB-001; the stereo end/TRS has only 1 black ring. The UP-01 has 2 black rings on the mini 3.5mm cable end.
Wait for it to show up at ehirobo.com and you'll pay about $4 to ship it to the US. I don't remember Hobbyking being that expensive on shipping though. I just ordered an HK 450GT and a bunch of stuff to put into it and a bunch of spares and it was only $30 shipping. (it's a good idea to order lipos from the US warehouse though because even though they cost more shipping lipos overseas is expensive and you save overall on the cheaper shipping)
Apr 05, 2012, 07:05 PM
Registered User
Originally Posted by Atomic Skull
I don't remember Hobbyking being that expensive on shipping though.
You've been confused. :-)

hobbyone.com.hk only does EMS/UPS type shipping. HobbyKing is a completely different outfit.
Apr 05, 2012, 08:02 PM
Registered User

RX 801 firmware 2 versions

Originally Posted by FDR_
I guess he meant the rx firmware should be new! So according to him there might be different versions of the rx801...
Apr 06, 2012, 02:23 AM
Registered User
FDR_'s Avatar
Originally Posted by PhracturedBlue
Which firmware are you using (can you send the checksum so I can verify I'm on the right one?) It probably makes sense for us to work on the same firmware so we can compare notes. I had moved to the 0.7B fw: DEVO-8 Fw v0.7B.dfu, but I'll use whatever you've been looking at so we can more easily share notes.
Do you have the 10mW version? That's what the B versions are for...
Also, I thought you had a DEVO 8S, which is what the "DEVO-8 FWDT v0.7A.dfu" versions are for.

Me, I have the original DEVO 8, so far I use the "DEVO-8 FW v0.7A.dfu". I would like to discover all the model data before I upgrade to the "DEVO-8 FWDT v0.7A.dfu" with the new RF module...
Apr 06, 2012, 04:49 AM
Registered User
FDR_'s Avatar
Originally Posted by PhracturedBlue
I wish you had yours too...'cause I'm learning that I've got a lot to learn before I'm competent at working with this thing.
Yeah, I realized that too!
It's a few hundred pages to read and understand...

15-20 years have passed since the last time I was involved in MCU programming. That was the 8-bit 805x family. They were a lot simpler, but I'm trying to catch up...
Apr 06, 2012, 06:56 AM
Registered User
Ok, I did a bit more digging:

Here's the function I will call "SaveModel"

ROM:08027E4E MOV R4, R0
ROM:08027E50 MOV R5, R1
ROM:08027E52 LDR R0, =0x38305644 ; //<< "DV08"
ROM:08027E54 STR R0, [R4] //Write magic at start of buffer
ROM:08027E56 MOVS R1, #9
ROM:08027E58 ADDS R0, R4, #4
ROM:08027E58 ; ---------------------------------------------------------------------------
ROM:08027E5A DCB 0xDC ; _
ROM:08027E5B DCB 0xF7 ; ž
ROM:08027E5C ; ---------------------------------------------------------------------------
ROM:08027E5C loc_8027E5C ; CODE XREF: ROM:08027ED6
ROM:08027E5C STRSH.W R1, [R12,#0xC6A]
ROM:08027E60 ADD R1, SP, #0x28
ROM:08027E62 ADDS R0, R4, #4
ROM:08027E64 BL loc_802959C
ROM:08027E68 ; ---------------------------------------------------------------------------
ROM:08027E68 MOVS R0, #0
ROM:08027E6A STRB R0, [R4,#0xD]
ROM:08027E6C MOV R0, R4
ROM:08027E6E BL CopyModelData ; R0 - Buffer, populate the buffer with the model data
ROM:08027E72 MOVS R0, #0
ROM:08027E74 STRB.W R0, [R12,#0x38F]
ROM:08027E78 STR.W R0, [R12,#0x390] //Zero out the CRC?
ROM:08027E7C MOV R0, R4
ROM:08027E7E BL WriteModelData_Maybe ; R0 Buffer, dunno for sure havent looked in detail yet
ROM:08027E82 ; ---------------------------------------------------------------------------
ROM:08027E82 STR.W R0, [R12,#0x394]
ROM:08027E86 STMIA R5, {R4-R6}
ROM:08027E86 ; ---------------------------------------------------------------------------
ROM:08027E88 dword_8027E88 DCD 0x38305644 ; DATA XREF: ROM:08027E52

The function "CopyModelData" is interesting; it populates the 4K buffer with the model data to be saved to flash:

ROM:080280A8 CopyModelData ; CODE XREF: ROM:08027E6Ep
ROM:080280A8 PUSH.W {R4-R8,LR} ; R0 - Buffer
ROM:080280AC MOV R4, R0
ROM:080280AE ADD.W R7, R4, #0x14
ROM:080280B2 ADDW R8, R4, #0x38F
ROM:080280B6 SUBS.W R8, R0, R7
ROM:080280BA MOV R1, R8
ROM:080280BC MOV R0, R7
ROM:080280BE BL MemZero ; R0 - Ptr
ROM:080280BE ; R1 - Length
ROM:080280C2 MOVS R5, #0
ROM:080280C4 B loc_80280D2 ; for(ctr=0;ctr<6;ctr++)
ROM:080280C4 ; {
ROM:080280C4 ; ptr->(0x0E + ctr) = 0x04
ROM:080280C6 ; ---------------------------------------------------------------------------
ROM:080280C6 loc_80280C6 ; CODE XREF: ROM:080280D4j
ROM:080280C6 MOVS R1, #4
ROM:080280C8 ADD.W R0, R4, #0xE
ROM:080280CC STRB R1, [R0,R5]
ROM:080280CE ADDS R0, R5, #1
ROM:080280D0 REVSH R5, R1
ROM:080280D2 loc_80280D2 ; CODE XREF: ROM:080280C4j
ROM:080280D2 CMP R5, #6
ROM:080280D4 BLT loc_80280C6 ; }
ROM:080280D6 MOVS R5, #0


ROM:080280EA MOVS R1, #2
ROM:080280EC MOVS R0, #0x50
ROM:080280EE STRB R1, [R0,R4] ; ptr->0x50 = 0x02
ROM:080280F0 MOVS R0, #5
ROM:080280F2 STRB.W R0, [R12,#0x4A] ; ptr->0x4A = 0x05
ROM:080280F6 MOVS R1, #1
ROM:080280F8 MOVS R0, #0x4B
ROM:080280FA STRB R1, [R0,R4] ; ptr->0x4B = 0x01
ROM:080280FC MOVS R1, #0
ROM:080280FE MOVS R0, #0x4C
ROM:08028100 STRB R1, [R0,R4] ; ptr->0x4C = 0x00
ROM:08028102 MOVS R1, #4
ROM:08028104 MOVS R0, #0x4D
ROM:08028106 STRB R1, [R0,R4] ; ptr->0x4D = 0x04
ROM:08028108 LDRB R6, [R4,#0xD]
ROM:0802810A STMIA R3!, {R1,R2,R4}
ROM:0802810C MOVS R0, #6
ROM:0802810E STRB.W R0, [R12,#0x53] ; ptr->0x53 = 0x06
ROM:08028112 MOVS R0, #1
ROM:08028114 STRB.W R0, [R12,#0x56] ; ptr->0x56 = 0x01

Looking in the Genius_CP.bin file, it's pretty clear this code is populating the buffer prior to saving the model data to flash.

So, what to do? I suggest we patch "CopyModelData" to fill the buffer pointed to by R0 with (part of) the bootloader. The model data is 4K and the region of flash we are interested in is 16K, therefore we are going to need to do it in 4 chunks. Probably 8*2K would be better because of the magic and CRC.

Note I may be wrong about the function "WriteModelData_Maybe"; if necessary we can dig into that some more.

Access to the bootloader may turn out to be useful and more people will want to dump it. If so, we can refine the hack to dump the chunks to 4 different model slots.

The reason that someone may want to dump the bootloader is I _think_ it holds config data as well as the bootloader. I found initialisation code that is checking for ASCII "6" and "8"....

PB: Let me know if you need help coding up the "Copy Bootloader to buffer" patch.

Edit: Looks like code at 0x08004174 is memcpy (R0 dest, R1 source, R2 length)
Last edited by rcH4x0r; Apr 06, 2012 at 07:31 AM. Reason: More info
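The chunking plan above (4K model slot, 16K region, 8 chunks of 2K, "DV08" magic kept at the start of the buffer) can be sanity-checked on the host before touching the transmitter. The following C is an added example, not code from the thread or from the Walkera firmware: it simulates what a patched CopyModelData would put into each model buffer and what a host-side tool would do to reassemble the dump. The sizes and the magic word come from the posts; the placement of the payload at offset 0x14 (the first byte CopyModelData zeroes) and the use of the byte at offset 0x0D as a chunk number are assumptions made for the example, and the 16K "flash region" is a constructed pattern, not real bootloader contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes stated in the thread: one model slot is 4K, the region to dump is 16K,
   split into 8 chunks of 2K so each chunk fits beside the header/CRC fields. */
#define MODEL_BUF_SIZE   4096
#define BOOT_REGION_SIZE (16 * 1024)
#define CHUNK_SIZE       2048
#define NUM_CHUNKS       (BOOT_REGION_SIZE / CHUNK_SIZE)

/* "DV08": the word 0x38305644 that SaveModel stores at the start of the
   buffer, written out as little-endian bytes. */
static const uint8_t MODEL_MAGIC[4] = { 'D', 'V', '0', '8' };

/* Assumed dump layout (not taken from the firmware): CopyModelData zeroes the
   buffer from offset 0x14 onward, so the payload goes at 0x14, and the chunk
   number is kept in the byte at offset 0x0D that SaveModel clears. */
#define HDR_CHUNK_INDEX 0x0D
#define PAYLOAD_OFFSET  0x14

/* Constructed stand-in for the flash region 0x08000000..0x08004000. */
static uint8_t fake_boot_region[BOOT_REGION_SIZE];

void init_fake_boot_region(void)
{
    for (size_t i = 0; i < BOOT_REGION_SIZE; i++)
        fake_boot_region[i] = (uint8_t)((i * 7u) ^ (i >> 8));
}

/* Transmitter side: what a patched CopyModelData would do for one chunk.
   The magic SaveModel wrote is kept; only the payload area is filled.
   Returns 0 on success, -1 for an out-of-range chunk. */
int dump_chunk_to_model_buffer(uint8_t *buf, unsigned chunk, const uint8_t *region)
{
    if (chunk >= NUM_CHUNKS)
        return -1;
    memset(buf, 0, MODEL_BUF_SIZE);
    memcpy(buf, MODEL_MAGIC, sizeof MODEL_MAGIC);
    buf[HDR_CHUNK_INDEX] = (uint8_t)chunk;
    memcpy(buf + PAYLOAD_OFFSET, region + (size_t)chunk * CHUNK_SIZE, CHUNK_SIZE);
    return 0;
}

/* Host side: read the saved model files back, check the magic, and stitch
   the chunks into the original region. Returns 0 on success, -1 on a bad
   magic, -2 on a duplicate or out-of-range chunk, -3 if a chunk is missing. */
int reassemble_region(uint8_t slots[][MODEL_BUF_SIZE], unsigned nslots, uint8_t *out)
{
    uint8_t seen[NUM_CHUNKS] = { 0 };

    for (unsigned i = 0; i < nslots; i++) {
        if (memcmp(slots[i], MODEL_MAGIC, sizeof MODEL_MAGIC) != 0)
            return -1;
        unsigned chunk = slots[i][HDR_CHUNK_INDEX];
        if (chunk >= NUM_CHUNKS || seen[chunk])
            return -2;
        memcpy(out + (size_t)chunk * CHUNK_SIZE, slots[i] + PAYLOAD_OFFSET, CHUNK_SIZE);
        seen[chunk] = 1;
    }
    for (unsigned c = 0; c < NUM_CHUNKS; c++)
        if (!seen[c])
            return -3;
    return 0;
}

/* Full round trip on the constructed region: 1 if the reassembled bytes match. */
int roundtrip_ok(void)
{
    static uint8_t slots[NUM_CHUNKS][MODEL_BUF_SIZE];
    static uint8_t out[BOOT_REGION_SIZE];

    init_fake_boot_region();
    for (unsigned c = 0; c < NUM_CHUNKS; c++)
        if (dump_chunk_to_model_buffer(slots[c], c, fake_boot_region) != 0)
            return 0;
    if (reassemble_region(slots, NUM_CHUNKS, out) != 0)
        return 0;
    return memcmp(out, fake_boot_region, BOOT_REGION_SIZE) == 0;
}

/* A slot whose magic was overwritten must be rejected (expected result: -1). */
int corrupted_magic_result(void)
{
    static uint8_t slots[NUM_CHUNKS][MODEL_BUF_SIZE];
    static uint8_t out[BOOT_REGION_SIZE];

    init_fake_boot_region();
    for (unsigned c = 0; c < NUM_CHUNKS; c++)
        dump_chunk_to_model_buffer(slots[c], c, fake_boot_region);
    slots[2][0] = 'X';   /* clobber the 'D' of "DV08" in one slot */
    return reassemble_region(slots, NUM_CHUNKS, out);
}

int main(void)
{
    printf("round trip %s\n", roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

Keeping the magic and chunk byte inside the part of the buffer that CopyModelData does not zero means the saved file still looks like a DV08 model to whatever reads it back, and the chunk byte lets the host detect a slot that was saved twice or not at all instead of silently producing a shuffled image.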
Apr 06, 2012, 07:57 AM
Registered User
Here is the replacement code I came up with for CopyModelData:
   LDR    R1, =startaddr      @ source: first word of the region to copy
   LDR    R2, =endaddr        @ source: one past the last word to copy
Loop:
   LDR    R3, [R1]            @ read one 32-bit word from flash...
   STR    R3, [R0]            @ ...and store it into the buffer R0 points at
   ADD    R1, R1, #4
   ADD    R0, R0, #4
   CMP    R1, R2
   BNE    Loop
   MOV    PC, LR              @ return to the caller

.equ startaddr, 0x08000000
.equ endaddr,   0x08000800
I think it will copy the 1st 2048 bytes into the address stored in R0. I'll compile it into my dfu and give it a shot

Edited again for bad addresses
Last edited by PhracturedBlue; Apr 06, 2012 at 09:06 AM. Reason: Now it actually compiles :)
Apr 06, 2012, 08:04 AM
Registered User
I believe you should exit the function with

pop {R4, PC}

That's what the original code is doing (I think)
Last edited by rcH4x0r; Apr 06, 2012 at 08:12 AM.
Apr 06, 2012, 08:11 AM
Registered User
Originally Posted by rcH4x0r
I believe you should exit the function with

pop {R4, PC}

That's what the original code is doing
But isn't that just because they did this:
which I don't need, since I'm only using 3 registers.
BL stores the return in LR, so moving LR to PC should be good enough
Apr 06, 2012, 08:20 AM
Registered User
Y, but you still need to get R4 off the stack or it's going to be out of sync once the function returns
Apr 06, 2012, 08:42 AM
Registered User
Holy crap! My Devo8 just arrived
Apr 06, 2012, 08:47 AM
Registered User
FDR_'s Avatar
Originally Posted by rcH4x0r
Holy crap! My Devo8 just arrived
Is it an 8S or a simple 8?
